Fayetteville Policies and Procedures  309.0

Payment Card Processing

Any office engaged in any form of payment card processing (e.g., POS/swipe or e-commerce) must have the approval of Financial Affairs Credit Card Operations and Cash Management prior to engaging in commerce activity. No University department may enter into any contracts or otherwise arrange for payment transaction processing, or obtain any related equipment, software or services without the involvement and approval of Credit Card Operations and Cash Management.

All payment activity must be established within the centralized University banking and accounting environment with receipts deposited into designated University of Arkansas bank accounts, unless an exception is approved by the Associate Vice Chancellor for Financial Affairs.

The University of Arkansas official online payment system is QPay. All departments wishing to accept online payment card transactions must use QPay, unless a waiver by Credit Card Operations is granted to that department (See Payment Card Usage section below for additional information).

The purpose of this policy is to outline the payment card acceptance methods suitable for university business and the usage restrictions for payment card transactions. Credit Card Operations is responsible for campus compliance with payment card processing and security regulations, and is granted authority to take appropriate action to ensure conformity with University policies and procedures. Appropriate action up to and including suspension or termination of payment card processing activities will be imposed for any University of Arkansas department that violates provisions outlined in the Fayetteville Policies and Procedures 309 series related to payment card processing, security and incident reporting.

Definitions

All terms mentioned in this policy are described in the Payment Card Policies Glossary for the 309 policy series. All campus users of payment card information are required to know and fully understand all terms associated with the 309 policy series.

Payment Card Usage

The University of Arkansas accepts Visa, MasterCard, Discover Card, and American Express payment cards for university business. In addition, departments that accept payments for activities that directly relate to the educational mission of the University may have the option to accept PINless debit transactions for Star, NYCE or Pulse branded cards. University of Arkansas accepts payment ONLY via telephone, walk-in traffic or an approved online portal.

If a department has a specific business operational need that QPay cannot meet, the department can apply for a System Usage Waiver. Departments initiate the waiver request by submitting written justification to Credit Card Operations that explains their need and why QPay cannot adequately support the operation. Waiver requests must be submitted annually to Credit Card Operations, and are evaluated on a case-by-case basis. As part of the waiver application process, Credit Card Operations will conduct a full evaluation of proposed equipment, network structure and remote access privilege use.

In addition, departments applying for a System Usage Waiver must achieve and maintain full compliance with the Fayetteville Policies and Procedures 309 series, legal and industry regulations. A full list of requirements is available in the System Usage Waiver supplement document provided by Credit Card Operations. Any department granted a waiver is responsible for the fiscal costs associated with payment card security as detailed in the Fayetteville Policy and Procedure 309 series.

Acceptable Technology

Credit Card Operations does not publish a list of acceptable technology. Technology usage for each processing environment is evaluated on a case-by-case basis. University of Arkansas departments authorized to accept payment card transactions MUST supply Credit Card Operations with an inventory of all equipment to be used in the processing environment prior to authorization and assignment of merchant account. The inventory shall include –a description of the device, the model number, operating system or firmware information and a DNS/IP address, if applicable. Reports available in the University’s Asset Inventory Management System (AIMS) are acceptable. Departments must notify Credit Card Operations within 7 days of any changes in processing equipment.

The use of wireless or cellular technology for payment card processing is prohibited. Any wireless capable laptop used in the processing environment MUST have the wireless radio disabled while in use within the department processing environment. The use of mobile devices, other than a wired laptop, for payment card processing is prohibited.

As a convenience to customers, departments are permitted to maintain self-service kiosk stations, limited to accessing only the payment application, for customer use while in the department. Credit Card Operations must approve the kiosk technology and equipment prior to use within the payment processing environment. The kiosk is never to be used for web surfing, mail use or any general university applications that do not directly relate to payment processing.

Departmental staff members are prohibited from using Remote Desktop Protocol (RDP) or any Terminal Services application to remote into their campus workstation from another computer to complete a payment card transaction. All terminal services must be disabled while the workstation is in used within the payment card processing environment.

User Access to Processing Environments

Departments authorized to accept payment card transactions will have one or more payment card merchant accounts established by Credit Card Operations. All payment card transactions for the department will flow through this account. As a condition of merchant account assignment, all requirements detailed in the Payment Card Security Policy of the 309 series MUST be met.

Access to the Cardholder Data Environment will be restricted by job duties of each individual. Every user must be assigned a unique User ID and password to access the Cardholder Data Environment. Passwords for users MUST be changed every 90 days. User accounts must also be locked after at a maximum 3 failed login attempts. Accounts inactive for at least 90 days must be removed or locked.

Fees

Each department is responsible for the costs incurred by the University to process its transactions, plus setup fees for any new merchant account. Processing fees will be deducted monthly from a BASIS company cost center. A current fee schedule can be obtained from Credit Card Operations.

In addition, each department is responsible for any hardware, software, setup and/or maintenance costs to maintain the processing environment, including the cost of security scans. Departments may also be required to pay for training and background checks as required by Fayetteville Policies and Procedures.


Reformatted for Web May 28, 2014
November 19, 2010